Russian hackers get 1.2 billion usernames/passwords

allisolm

Elite Member
Administrator
Jan 2, 2001
Just in case you haven't had one stolen in any of the earlier attacks, you could still get in on this.

http://money.cnn.com/2014/08/05/technology/security/russian-hackers-theft/index.html?hpt=hp_t1

Although they aren't revealing the names of the websites hacked (gee thanks!) Hold Security founder Alex Holden told CNNMoney that the trove includes credentials gathered from over 420,000 websites -- both smaller sites as well as "household names." The criminals didn't breach any major email providers, he said.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Meaning they have the hashed password values, I assume. If that's true and your password has a decent amount of entropy you're likely still ok, although they are getting better with dictionary attacks.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
Meaning they have the hashed password values, I assume. If that's true and your password has a decent amount of entropy you're likely still ok, although they are getting better with dictionary attacks.

The dictionaries that are available cover probably better than 80% of the user base in terms of passwords. Brute force cracking power will make the rest a rather trivial exercise given the standards used currently across the world.
 

cubby1223

Lifer
May 24, 2004
Meaning they have the hashed password values, I assume. If that's true and your password has a decent amount of entropy you're likely still ok, although they are getting better with dictionary attacks.

They got the passwords from SQL injection. I think it's likely a site that still has SQL injection vulnerabilities is also saving the password in plain text.
 

edro

Lifer
Apr 5, 2002
If you have a non-dictionary based password, you should be ok, right?

Like: hpteX5xuu
 

T9D

Diamond Member
Dec 1, 2001
Mine's hakuna matata.

It means no worries for the rest of your days. So I should be fine.
 

D1gger

Diamond Member
Oct 3, 2004
This is a typical password I use: DCDQ0Z86sMjY. Generated by and stored by Lastpass.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
If you have a non-dictionary based password, you should be ok, right?

Like: hpteX5xuu

8 characters, likely dictionaried. Last I was researching, a password of that complexity was crackable in about 20 minutes with current technology and available dictionaries.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
The dictionaries that are available cover probably better than 80% of the user base in terms of passwords. Brute force cracking power will make the rest a rather trivial exercise given the standards used currently across the world.

Yeah but that's only because so many people use passwords with low-entropy, right? I know they have gotten a lot smarter about substitutions, so simple things like Pa33w0rd aren't safe, but I think if you have a password with any significant entropy you're probably safe.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
8 characters, likely dictionaried. Last I was researching, a password of that complexity was crackable in about 20 minutes with current technology and available dictionaries.

You really think that password is dictionaried? I'm surprised.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
They got the passwords from sql injection. I think it's likely a site that still has sql injection vulnerabilities is also saving the password in plain text

Yeah, quite possibly. Hopefully also not a site I would create an account on.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
Yeah but that's only because so many people use passwords with low-entropy, right? I know they have gotten a lot smarter about substitutions, so simple things like Pa33w0rd aren't safe, but I think if you have a password with any significant entropy you're probably safe.

To be fair, the entropy for low order passwords really doesn't matter simply because of dictionary attacks. Plus with each data breach, the comparative lists and dictionaries simply grow, filling in the blanks as they get more data. Coupled with the slower brute force for the high value targets as they go, they get to make their climb faster than we can remember deeper password depths.

Honestly, it's a losing battle no matter how you look at it.

You really think that password is dictionaried? I'm surprised.

I miscounted, 9 characters, but a two character run at the end no less...

Last I heard though most 8 character passwords weren't safe - hence the ~80% target. That meant 9 character was starting to get worked on, and the 10 character realm is the starting point for "currently safe, for now*" with the usual caveats.

This all comes from the last set of crypto statistical studies I paid attention to over the course of the past year or so. The whole notion from the hackers' side of things is that they can build a very effective dictionary database simply by stealing enough existing password databases and cracking a few passwords from each.
 

Eug

Lifer
Mar 11, 2000
For the above password this site predicts:

"It would take a desktop PC about 25 thousand years to crack your password"
ModeratorProgramming would take 165 quadrillion years to crack with a typical PC.

MarkbnjModeratorProgramming would take 170 octillion years.
 

Exophase

Diamond Member
Apr 19, 2012
To be fair, the entropy for low order passwords really doesn't matter simply because of dictionary attacks. Plus with each data breach, the comparative lists and dictionaries simply grow, filling in the blanks as they get more data. Coupled with the slower brute force for the high value targets as they go, they get to make their climb faster than we can remember deeper password depths.

Honestly, it's a losing battle no matter how you look at it.

If we're talking about a random alphanumeric string, the only way it'll be on a dictionary is if someone used it as a password before. Unless you're thinking of a dictionary that has every random string up to N characters in it, but then it's no different from brute force. And of course no one has a password list with something like 2^48 8-character entries in it.

At some point the dictionary is going to be too large to make sense over brute force - it's a lot slower to look up a password from a big list than to iterate to the next in a series of all possible passwords, probably even more true for the GPUs running the big parallel cracking algorithms. You'd probably switch between progressively larger dictionaries and various iterative searches.
 
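An added example, not code from the thread, that puts numbers on the dictionary-versus-brute-force point made above: it sizes the exhaustive search an attacker is left with once a password is on no list, using the character classes the password actually contains (and the full 95 printable characters for comparison), and checks the "2^48 8-character entries" figure for letters and digits. The guess rate is an assumed placeholder, not a measured figure.

```python
import math
import string

# The standard 95 printable ASCII characters, split into the classes a
# cracker would choose from after seeing which kinds of characters a
# password uses (26 + 26 + 10 + 33 = 95).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}
FULL_PRINTABLE = 95


def charset_size(password):
    """Alphabet size of the narrowest class-based search that still
    contains the password (letters + digits only for 'hpteX5xuu' -> 62)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password, alphabet=None):
    """Candidates an exhaustive search over that alphabet and length must
    cover; a 'dictionary' this large is just brute force with extra cost."""
    n = charset_size(password) if alphabet is None else alphabet
    return n ** len(password)


def entropy_bits(password, alphabet=None):
    return math.log2(keyspace(password, alphabet))


def seconds_to_exhaust(password, guesses_per_second, alphabet=None):
    return keyspace(password, alphabet) / guesses_per_second


if __name__ == "__main__":
    pw = "hpteX5xuu"
    # Assumed rate for a fast unsalted hash on a GPU rig (placeholder).
    rate = 1e10
    print(f"{pw}: {charset_size(pw)}-char alphabet, {entropy_bits(pw):.1f} bits, "
          f"{seconds_to_exhaust(pw, rate) / 86400:.1f} days at {rate:.0e} guesses/s")
    print(f"same length over all 95 printable characters: "
          f"{seconds_to_exhaust(pw, rate, FULL_PRINTABLE) / 86400:.0f} days")
    # The thread's figure: 8 alphanumeric characters is about 2^48 candidates.
    print(f"8 alphanumeric chars: 2^{entropy_bits('a' * 8, 62):.1f}")
```

A space counts as a symbol here, so a passphrase like "hakuna matata" is searched over a 59-character alphabet even though it has no digits or capitals; the time estimates assume an unsalted fast hash and shrink to nothing if the password is on a leaked-password list.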

Jeff7

Lifer
Jan 4, 2001
The dictionaries that are available cover probably better than 80% of the user base in terms of passwords. Brute force cracking power will make the rest a rather trivial exercise given the standards used currently across the world.

And with so many passwords available to analyze, you can find patterns.

The human brain needs patterns in order to remember a password.

A random password generator should be better; then store your passwords in at least two offline and heavily-encrypted locations.

If you have a non-dictionary based password, you should be ok, right?

Like: hpteX5xuu

There are password dictionaries that contain billions of passwords.
hpteX5xuu isn't very long, and it doesn't contain spaces or punctuation. It does at least contain one capital letter though.

I like sites that let you use upper-ASCII characters.
±∞°

In any case, hopefully the server containing your important information also has internal encryption - the perimeter defenses should not be the only obstacle. "Should" is of course a very important word here.

For the above password this site predicts:

"It would take a desktop PC about 25 thousand years to crack your password"

Just watch, we'll find out that it's a Russian hacking ring running that site.

"Here's a stupid thought: What if we just ask people for their passwords?"

"Password12345? Golly, that's a really secure password! Thumbs up for you! That would take a government supercomputer 500 quadribillion years to figure out! It's so secure that you should use it for all of your accounts."
 
May 11, 2008
How do these guys crack the password belonging to a given user name?

I mean, for example, the forum allows 5 retries for entering password and user name. Then the account belonging to the user name (if it is correct) gets blocked. So there is a timeout that must pass in between entering passwords to prevent being blocked and locked out.

Typically, online banking allows for 3 login retries before the account belonging to the username (if correct) gets blocked. Here there is also a timeout delay between wrong logins.
I think that if you use a wrong username and password for online banking, the online banking website starts logging the IP of the (possible) perpetrator and other data that might be important.

But how can you crack a password if you have only a limited amount of retries?

I can imagine that if you have a zip file with password protection you can try as long as you like, unless the WinZip (or 7-Zip) program also blocks attempts to enter the password after a given amount of retries.
 

darkewaffle

Diamond Member
Oct 7, 2005
I miscounted, 9 characters, but a two character run at the end no less...

Last I heard though most 8 character passwords weren't safe - hence the ~80% target. That meant 9 character was starting to get worked on, and the 10 character realm is the starting point for "currently safe, for now*" with the usual caveats.

This all comes from the last set of crypto statistical studies I paid attention to over the course of the past year or so. The whole notion from the hackers' side of things is that they can build a very effective dictionary database simply by stealing enough existing password databases and cracking a few passwords from each.

Length matters, but more importantly "hpteX5xuu" is not a recognizable iteration (to my knowledge) of any existing word/phrase/'string' which would most likely comprise the core of a dictionary/hybrid attack. Chances are it's more secure than a much longer password like "smellsliketeenspirit" (or even "5m377571k3t33n5p1r17") or "supercalifragilisticexpialidocious" because those have a very high chance of being guessed (or being a modulation of a 'base' guess in the case of "5m377571k3t33n5p1r17") regardless of length because crackers are now beginning to understand not just how to crack passwords, but also how people create them.



The article that image is sourced from is about two years old but the thing to take note of is that even the cloud computing solution still ran into the same wall when making brute force attacks on an 8 character password (assuming a standard 95 character set of English letters/numbers/symbols is used). Probably the primary issue with "hpteX5xuu" would be that no symbol would mean it would be susceptible to a more targeted brute force attack (e.g. one simply testing letters and numbers, no symbols) which would substantially decrease the amount of time necessary - although brute forcing 9 characters would still be quite time consuming, an 8 character brute force with a modulation to double up on the final character could also plausibly crack it.

That said, how vulnerable the passwords are in the OP's article depends more on the hash method and salting than anything else really.
 
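An added example, not code from the thread, of the storage side that the closing remark above points at (hash method and salting): a per-record random salt plus a slow PBKDF2 work factor, set beside the unsalted fast hash a weak site might keep. The record format and the 600,000-iteration default are my choices; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (OWASP guidance at time of writing;
# tune to the hardware so a login takes a noticeable fraction of a second).
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh 16-byte salt per record means two users with the same password
    get different records, so one cracked record says nothing about the other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password):
    """What a legacy site might store instead, shown only for contrast:
    no salt, so equal passwords hash equally and one lookup table serves
    every stolen database; one fast hash, so guesses are cheap."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("hpteX5xuu")
    bob = hash_password("hpteX5xuu")
    print("salted records differ:", alice != bob)
    print("unsalted records equal:", unsalted_sha1("hpteX5xuu") == unsalted_sha1("hpteX5xuu"))
    print("correct:", verify_password("hpteX5xuu", alice),
          "wrong:", verify_password("hpteX5xuv", alice))
```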

darkewaffle

Diamond Member
Oct 7, 2005
How do these guys crack the password belonging to a given user name?

It's not done 'online'. The idea is that the server holding the files containing the (hopefully) hashed passwords is compromised and the files are able to be copied and extracted for manipulation.
 
May 11, 2008
It's not done 'online'. The idea is that the server holding the files containing the (hopefully) hashed passwords is compromised and the files are able to be copied and extracted for manipulation.

Aha. That makes sense.

The perpetrators retrieve the password file and then use brute force computing power to decode the encoded password file.
 

slayernine

Senior member
Jul 23, 2007
slayernine.com
8 characters, likely dictionaried. Last I was researching, a password of that complexity was crackable in about 20 minutes with current technology and available dictionaries.

Dictionaries only work when there is no mechanism that locks out accounts for repeated failed password attempts. So a computer can't hammer Facebook.com with a million different password combinations over 20 minutes to break into your account because the Facebook server knows what is up.
 